
RH 9, running squid and Dan's Guardian. How to block port 80? Students are bypassing squid and getting straight out to the net. IPchains was set up originally, but has lost its settings and now does not want to work.

Cheers
Terry Cole
Rotorua, New Zealand
mailto:terry(a)cole.gen.nz mailto:kay(a)cole.gen.nz http://www.cole.gen.nz http://www.websnz.com

Terry Cole wrote:
RH 9, running squid and Dan's Guardian.
How to block port 80?
Students are bypassing squid and getting straight out to the net.
IPchains was set up originally, but has lost its settings and now does not want to work.

You might want to consider transparent proxying... http://www.tldp.org/HOWTO/TransparentProxy.html

-- 
Matthias

Terry Cole wrote:
RH 9, running squid and Dan's Guardian.
How to block port 80?
Students are bypassing squid and getting straight out to the net.
IPchains was set up originally, but has lost its settings and now does not want to work.

Hi Terry

Red Hat Linux 9 uses the 2.4 series kernel, which uses iptables for its firewalling. (ipchains was used in 2.2 kernels, and while support for it can be compiled in, it's recommended that people use iptables.)

You need to block port 80 on the gateway machine, which I assume is already running a firewall of some sort to masquerade (and is also running squid). If not, the advice might need to be modified slightly. The simplest way is much like:

    # iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j REJECT

Replace $INTIF with eth0, etc, for the interface of your internal network.

You might also want to look at using DNAT to redirect anything that isn't from the squid machine, to the squid port. That way even if people don't use the proxy, they're using the proxy. (Which is also Matthias's suggestion (which arrived while I was writing mine)):

    # iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

Craig

Terry Cole wrote:
RH 9, running squid and Dan's Guardian.
How to block port 80?
Students are bypassing squid and getting straight out to the net.
IPchains was set up originally, but has lost its settings and now does not want to work.

Is there any reason your internal machines need to connect to the Internet direct? You want to enforce proxy usage for web/ftp traffic; are there any legitimate reasons internal machines will have for directly traversing your border? If not, don't set a default route, and don't forward packets for those machines.

This has the added bonus of stopping any virus propagation (if an internal machine gets infected, it won't start connecting to a zillion random hosts on the Internet as it doesn't have a default route!).

I do this at one school and it works fine. We have internal mail, and the only valid Internet-bound traffic from any of the machines is http/ftp. It also stops people using kazaa or instant messenger (until they work out to use http proxies for those things, anyway).
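The two suggestions above (Craig's and Matthias's REDIRECT into squid, plus Daniel's "forward nothing unless you have to") can be combined into one rule set. The script below is an added example, not code posted in the thread: it prints the iptables commands for review, or applies them when run as root with "apply". The interface names eth0/eth1, the LAN range 192.168.1.0/24, squid listening on port 3128 on the gateway itself, and the FORWARD_PORTS knob are all assumptions for illustration. Note that REJECT is a filter-table target, so the belt-and-braces block goes in the FORWARD chain; REDIRECT is a nat-table target, so it goes in PREROUTING.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the iptables rule set for a
# gateway that runs squid itself: port-80 traffic from the LAN is redirected
# into squid, and nothing else is forwarded unless listed in FORWARD_PORTS.
# Interface names, the LAN range, the squid port and the FORWARD_PORTS knob
# are assumptions; override them in the environment.
INTIF=${INTIF:-eth0}              # inside interface (assumed)
EXTIF=${EXTIF:-eth1}              # Internet-facing interface (assumed)
LAN=${LAN:-192.168.1.0/24}        # student network (assumed)
SQUID_PORT=${SQUID_PORT:-3128}    # squid's listening port on this gateway
FORWARD_PORTS=${FORWARD_PORTS:-}  # TCP ports allowed straight out, e.g. "25"; empty = none (hypothetical knob)

# Print the rules, one command per line, so they can be reviewed before use.
proxy_rules() {
    echo "iptables -F"
    echo "iptables -t nat -F"
    # Forward nothing by default; replies to connections we did allow still pass.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Transparent proxying: a LAN client going straight to port 80 lands on
    # squid anyway. REDIRECT is a nat-table target, hence PREROUTING. Squid's
    # own outbound connections leave via OUTPUT, so this does not loop.
    echo "iptables -t nat -A PREROUTING -i $INTIF -s $LAN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    # Anything to port 80 that still reaches FORWARD is refused outright.
    # REJECT is a filter-table target and is not accepted in nat PREROUTING;
    # tcp-reset makes the browser fail fast instead of hanging.
    echo "iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j REJECT --reject-with tcp-reset"
    # With no ports listed, leave IP forwarding off entirely (Daniel's approach);
    # otherwise forward only the listed TCP ports from the LAN.
    if [ -z "$FORWARD_PORTS" ]; then
        echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
        for port in $FORWARD_PORTS; do
            echo "iptables -A FORWARD -i $INTIF -o $EXTIF -s $LAN -p tcp --dport $port -j ACCEPT"
        done
    fi
    echo "iptables -t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE"
}

# "sh enforce-proxy.sh" prints the rules; "sh enforce-proxy.sh apply" runs
# them (as root on the gateway).
case "${1:-}" in
    apply) proxy_rules | sh -e ;;
    *)     proxy_rules ;;
esac
```

Run it without arguments first and read the output; with FORWARD_PORTS left empty the gateway forwards nothing at all, which is Daniel's configuration, and setting e.g. FORWARD_PORTS="25" opens exactly one extra hole for an internal mail relay.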
participants (4)
- Craig Box
- Daniel Lawson
- Matthias Dallmeier
- Terry Cole